[BreachExchange] WHOIS embarrassed about security? APNIC, after database leaks

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 24 18:12:40 EDT 2017


https://www.theregister.co.uk/2017/10/24/apnic_plugs_database_leak_resets_passwords/

Asia's internet numbers registry APNIC has apologised to network owners
after a slip in its WHOIS database config leaked credentials, including
weakly-hashed passwords.

The breach affected those in the regional registry's Maintainer and
Incident Response Team (IRT) database objects. During a June 2017 upgrade,
those details were included in downloadable WHOIS data.

“Maintainer” is the administrative object that restricts who is allowed to
edit other objects in the APNIC database; the IRT object identifies who
receives abuse reports.

Chris Barcellos of eBay's Red Team noticed the data on a third-party
Website on October 12 and notified APNIC. The registry's deputy general
director Sanjaya* writes that the database configuration was fixed on
October 13, and subsequently the relevant passwords were reset.

Had an attacker been able to recover the passwords, they could have altered
WHOIS information or hijacked IP address blocks.

As this configuration guide shows, one of the hash options available is
crypt-pw, a weak and easily-reversed hash because it can only handle
eight-character passwords.

APNIC says it hasn't found evidence of malicious activity as the result of
the breach. Had anybody altered the records, it would not have been
permanent, since “authoritative registry data is held internally by APNIC”.
®

* Sanjaya uses just one name.
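
The exposure described above can be checked for in a bulk WHOIS dump. This added example is not part of the article or any APNIC tooling; it scans RPSL text for Maintainer and IRT objects whose auth: lines still carry password-hash material. The sample objects are constructed, and the "# Filtered" placeholder for a redacted hash is an assumption about how a correctly configured export looks.

```python
import re

# Password-based schemes seen in RPSL "auth:" attributes. CRYPT-PW is the
# option the article names; MD5-PW is included as a second password scheme.
PASSWORD_SCHEMES = {"CRYPT-PW": "weak", "MD5-PW": "password-hash"}
CHECKED_CLASSES = {"mntner", "irt"}  # the two object types affected

# Constructed sample dump: names and hash strings are placeholders.
SAMPLE_DUMP = """\
mntner:  MAINT-EXAMPLE-AP
auth:    CRYPT-PW abEXAMPLEHASH
auth:    MD5-PW # Filtered

irt:     IRT-EXAMPLE-AP
auth:    MD5-PW $1$EXAMPLE$constructedvalue

inetnum: 192.0.2.0 - 192.0.2.255
mnt-by:  MAINT-EXAMPLE-AP
"""

def parse_objects(dump):
    """Yield each RPSL object as a list of (attribute, value) pairs."""
    for block in re.split(r"\n\s*\n", dump.strip()):
        attrs = []
        for line in block.splitlines():
            if line.startswith(("#", "%")) or ":" not in line:
                continue  # skip server comments and malformed lines
            key, _, value = line.partition(":")
            attrs.append((key.strip().lower(), value.strip()))
        if attrs:
            yield attrs

def find_exposed_auth(dump):
    """Return (class, name, scheme, rating) per auth line that exposes a hash."""
    findings = []
    for attrs in parse_objects(dump):
        cls, name = attrs[0]  # first attribute names the object class
        if cls not in CHECKED_CLASSES:
            continue
        for key, value in attrs:
            scheme, _, rest = value.partition(" ")
            scheme = scheme.upper()
            material = rest.split("#", 1)[0].strip()  # drop trailing comment
            if key == "auth" and scheme in PASSWORD_SCHEMES and material:
                findings.append((cls, name, scheme, PASSWORD_SCHEMES[scheme]))
    return findings

if __name__ == "__main__":
    for finding in find_exposed_auth(SAMPLE_DUMP):
        print(finding)
```

Any finding means hash material reached the export; a CRYPT-PW finding is the more urgent one given the weakness noted above.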